Support offline scan option in trivy (#909)

Signed-off-by: He Weiwei <hweiwei@vmware.com>
goharbor · Jun 8, 2022 · b64a6fa · b64a6fa
1 parent 58680c2
commit b64a6fa
Show file tree

Hide file tree

Showing 10 changed files with 66 additions and 0 deletions.
diff --git a/apis/goharbor.io/v1beta1/harbor_types.go b/apis/goharbor.io/v1beta1/harbor_types.go
@@ -467,6 +467,12 @@ type TrivyComponentSpec struct {
 	// The flag to enable or disable Trivy DB downloads from GitHub
 	SkipUpdate bool `json:"skipUpdate"`
 
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=false
+	// Option prevents Trivy from sending API requests to identify dependencies.
+	// This option doesn’t affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
+	OfflineScan bool `json:"offlineScan"`
+
 	// +kubebuilder:validation:Required
 	Storage HarborStorageTrivyStorageSpec `json:"storage"`
 }

diff --git a/apis/goharbor.io/v1beta1/trivy_types.go b/apis/goharbor.io/v1beta1/trivy_types.go
@@ -73,6 +73,10 @@ type TrivySpec struct {
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default="5m0s"
 	Timeout *metav1.Duration `json:"timeout,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=false
+	OfflineScan bool `json:"offlineScan"`
 }
 
 type TrivyUpdateSpec struct {

diff --git a/charts/harbor-operator/templates/crds.yaml b/charts/harbor-operator/templates/crds.yaml
@@ -11314,6 +11314,13 @@ spec:
                       node''s labels for the pod to be scheduled on that node. More
                       info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
                     type: object
+                  offlineScan:
+                    default: false
+                    description: Option prevents Trivy from sending API requests to
+                      identify dependencies. This option doesn’t affect DB download.
+                      You need to specify "skip-update" as well as "offline-scan"
+                      in an air-gapped environment.
+                    type: boolean
                   replicas:
                     description: 'Replicas is the number of desired replicas. This
                       is a pointer to distinguish between explicit zero and unspecified.
@@ -15707,6 +15714,13 @@ spec:
                       node''s labels for the pod to be scheduled on that node. More
                       info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
                     type: object
+                  offlineScan:
+                    default: false
+                    description: Option prevents Trivy from sending API requests to
+                      identify dependencies. This option doesn’t affect DB download.
+                      You need to specify "skip-update" as well as "offline-scan"
+                      in an air-gapped environment.
+                    type: boolean
                   replicas:
                     description: 'Replicas is the number of desired replicas. This
                       is a pointer to distinguish between explicit zero and unspecified.
@@ -35007,6 +35021,9 @@ spec:
                   component to fit on a node. Selector which must match a node''s
                   labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
                 type: object
+              offlineScan:
+                default: false
+                type: boolean
               proxy:
                 properties:
                   httpProxy:

diff --git a/controllers/goharbor/harbor/manifests/trivy/default-expected.yaml b/controllers/goharbor/harbor/manifests/trivy/default-expected.yaml
@@ -9,6 +9,7 @@ metadata:
   namespace: default
 spec:
   log: {}
+  offlineScan: false
   redis:
     database: 5
     host: 127.0.0.1

diff --git a/controllers/goharbor/harbor/manifests/trivy/expose-core-with-tls-expected.yaml b/controllers/goharbor/harbor/manifests/trivy/expose-core-with-tls-expected.yaml
@@ -9,6 +9,7 @@ metadata:
   namespace: default
 spec:
   log: {}
+  offlineScan: false
   redis:
     database: 5
     host: 127.0.0.1

diff --git a/controllers/goharbor/harbor/manifests/trivy/github-token-expected.yaml b/controllers/goharbor/harbor/manifests/trivy/github-token-expected.yaml
@@ -9,6 +9,7 @@ metadata:
   namespace: default
 spec:
   log: {}
+  offlineScan: false
   redis:
     database: 5
     host: 127.0.0.1

diff --git a/controllers/goharbor/harbor/trivy.go b/controllers/goharbor/harbor/trivy.go
@@ -164,6 +164,7 @@ func (r *Reconciler) GetTrivy(ctx context.Context, harbor *goharborv1.Harbor, ha
 			CertificateInjection: harbor.Spec.Trivy.CertificateInjection,
 			Proxy:                harbor.GetComponentProxySpec(harbormetav1.TrivyComponent),
 			Network:              harbor.Spec.Network,
+			OfflineScan:          harbor.Spec.Trivy.OfflineScan,
 		},
 	}, nil
 }
diff --git a/controllers/goharbor/trivy/configs.go b/controllers/goharbor/trivy/configs.go
@@ -52,6 +52,7 @@ func (r *Reconciler) GetConfigMap(ctx context.Context, trivy *goharborv1.Trivy)
 			"SCANNER_TRIVY_SEVERITY":       trivy.Spec.TrivySeverityTypes.GetValue(),
 			"SCANNER_TRIVY_IGNORE_UNFIXED": strconv.FormatBool(trivy.Spec.Server.IgnoreUnfixed),
 			"SCANNER_TRIVY_SKIP_UPDATE":    strconv.FormatBool(trivy.Spec.Update.Skip),
+			"SCANNER_TRIVY_OFFLINE_SCAN":   strconv.FormatBool(trivy.Spec.OfflineScan),
 			"SCANNER_TRIVY_INSECURE":       strconv.FormatBool(trivy.Spec.Server.Insecure),
 
 			"SCANNER_STORE_REDIS_NAMESPACE":    trivy.Spec.Redis.Namespace,

diff --git a/manifests/cluster/deployment.yaml b/manifests/cluster/deployment.yaml
@@ -11333,6 +11333,13 @@ spec:
                       node''s labels for the pod to be scheduled on that node. More
                       info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
                     type: object
+                  offlineScan:
+                    default: false
+                    description: Option prevents Trivy from sending API requests to
+                      identify dependencies. This option doesn’t affect DB download.
+                      You need to specify "skip-update" as well as "offline-scan"
+                      in an air-gapped environment.
+                    type: boolean
                   replicas:
                     description: 'Replicas is the number of desired replicas. This
                       is a pointer to distinguish between explicit zero and unspecified.
@@ -15731,6 +15738,13 @@ spec:
                       node''s labels for the pod to be scheduled on that node. More
                       info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
                     type: object
+                  offlineScan:
+                    default: false
+                    description: Option prevents Trivy from sending API requests to
+                      identify dependencies. This option doesn’t affect DB download.
+                      You need to specify "skip-update" as well as "offline-scan"
+                      in an air-gapped environment.
+                    type: boolean
                   replicas:
                     description: 'Replicas is the number of desired replicas. This
                       is a pointer to distinguish between explicit zero and unspecified.
@@ -46340,6 +46354,9 @@ spec:
                   component to fit on a node. Selector which must match a node''s
                   labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
                 type: object
+              offlineScan:
+                default: false
+                type: boolean
               proxy:
                 properties:
                   httpProxy:

diff --git a/manifests/harbor/deployment.yaml b/manifests/harbor/deployment.yaml
@@ -11333,6 +11333,13 @@ spec:
                       node''s labels for the pod to be scheduled on that node. More
                       info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
                     type: object
+                  offlineScan:
+                    default: false
+                    description: Option prevents Trivy from sending API requests to
+                      identify dependencies. This option doesn’t affect DB download.
+                      You need to specify "skip-update" as well as "offline-scan"
+                      in an air-gapped environment.
+                    type: boolean
                   replicas:
                     description: 'Replicas is the number of desired replicas. This
                       is a pointer to distinguish between explicit zero and unspecified.
@@ -15731,6 +15738,13 @@ spec:
                       node''s labels for the pod to be scheduled on that node. More
                       info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
                     type: object
+                  offlineScan:
+                    default: false
+                    description: Option prevents Trivy from sending API requests to
+                      identify dependencies. This option doesn’t affect DB download.
+                      You need to specify "skip-update" as well as "offline-scan"
+                      in an air-gapped environment.
+                    type: boolean
                   replicas:
                     description: 'Replicas is the number of desired replicas. This
                       is a pointer to distinguish between explicit zero and unspecified.
@@ -35056,6 +35070,9 @@ spec:
                   component to fit on a node. Selector which must match a node''s
                   labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
                 type: object
+              offlineScan:
+                default: false
+                type: boolean
               proxy:
                 properties:
                   httpProxy: